DoD 8140: How Does It Affect You?

In August 2015, the Department of Defense signed into effect DoD 8140 Cyberspace Workforce Management Policy. This directive immediately replaced the DoD 8570 directive, or did it?

DoD 8140: The Breakdown

DoD 8140 has been in effect for the better part of two years. However, the Department of Defense has yet to create a manual that outlines the specifics of the new directive. In order to rectify the lack of 8140 manual, the directive states that personnel will continue following DoD 8570.01M.

You may wonder if there is not a DoD 8140 manual, why did the Department of Defense issue the new directive? DoD 8140 aligns to allow inclusion of  the existing policies of the National Cybersecurity Workforce Framework (NCWF) designed by the National Initiative for Cybersecurity Education (NICE). The NCWF defines the most common jobs in cybersecurity into the functions, duties, and responsibilities. NCWF contains 7 specialty areas:

1. Analyze
2. Collect and Operate
3. Investigate
4. Operate and Maintain
5. Oversight and Development
6. Protect and Defend
7. Securely Provision.

Therefore, DoD 8140 assures that personnel in the cybersecurity workforce have the necessary hands-on knowledge for their job functions, in addition to the relevant certifications. The new directive expands and updates the existing policies of the current DoD cybersecurity workforce. Further defining the policies and responsibilities of personnel in the Department of Defense Information Assurance cybersecurity workforce.

Hard Requirements of DoD 8140

Certification is necessary for the following:

• All personnel performing IAT and IAM functions
• All personnel performing CSSP and IASAE roles
• Personnel categorized as ‘Technical’ or ‘Management’ level I, II, or III

EXACTLY Who Are These Personnel?

• All part or full-time military service members, contractors, and civilians with privileged access to DoD information systems
• Office of the Secretary of Defense
• Military Departments
• Chairman of the Joint Chiefs of Staff
• Combatant Commands
• Office of the Inspector General of the DoD
• Defense Agencies
• All other organizational entities in the DoD

What Kind of Certification Will You Need?

All people mentioned in the list above fall into different categories and levels; therefore, their certification needs will vary. However, no matter what level, all personnel must have the baseline approved certifications.

Although we don’t know what the exact manual will look like at this point we do know that DoD 8140 will have at least two categories: Information Assurance Technical (IAT) and Information Assurance Management (IAM). It is rumored that there will still be three levels like 8570.01M and that they will be reclassified with level I being renamed as apprentice. The current manual 8570.01M is divided into three categories: IA Technical, IA Management, and IA System Architecture and Engineering, with three levels I, II, and III. The chart below outlines the baseline approved certifications under 8570.01M.